Managing the TPM


Before you can use the TPM, you must initialize the TPM for first use and turn on the TPM. Once the TPM is enabled, you can manage the TPM configuration. The sections that follow discuss:

  • Initializing the TPM for first use.

  • Turning off and clearing the TPM.

  • Changing the TPM owner password.

    Caution 

    While understanding how TPMs are managed is important for getting a complete understanding of using the Trusted Platform Module Services architecture, managing TPMs isn’t something inexperienced users or administrators should attempt. Only experienced administrators should attempt to manage TPMs, and even then, only as necessary.

Initializing a TPM for First Use

Initializing a TPM configures it for use on a computer. The initialization process involves turning on the TPM and then setting ownership of the TPM. Although Windows Vista supports remote initialization of a TPM, you must have local access to the computer to turn on the TPM. On some new computers, the TPM is turned on by default. If this is the case with the computer you are working with, you can complete the initialization of the TPM remotely.

To initialize the TPM on your computer for first use, complete the following steps:

  1. Log on locally to the computer with local administrator credentials.

  2. Start the Trusted Platform Module Management console.

  3. Under Actions, click Initialize TPM to start the TPM Initialization Wizard. On the Welcome page, click Next.

  4. The next step depends on the state of the TPM:

    • If the TPM Initialization Wizard detects a BIOS that does not meet Windows Vista requirements, you will not be able to continue with the wizard. Instead, you will be alerted to consult the computer manufacturer’s documentation for instructions on turning on the TPM.

    • If the TPM is turned off, the TPM Initialization Wizard displays the Turn On The TPM Security Hardware page. Follow the instructions for turning on the TPM. Click Shutdown (or Restart), and then follow the BIOS screen prompts. After the computer restarts, confirm that you want to turn on the TPM when prompted.

    • If the TPM is already turned on, the first page you see is the Create The TPM Owner Password page. For details about setting the owner password, see the next procedure.

The second part of initializing the TPM for first use is setting ownership. By setting ownership of the TPM, you are assigning a password that helps ensure that only the authorized TPM owner can access and manage the TPM. The TPM password is required to turn off the TPM if you no longer want to use it and to clear the TPM if the computer is to be recycled.

To set the ownership of the TPM on your computer, complete the following steps:

  1. Log on locally to the computer with local administrator credentials.

  2. Start the Trusted Platform Module Management console.

  3. Under Actions, click Initialize TPM to start the TPM Initialization Wizard. On the Welcome page, click Next.

  4. On the Create The TPM Owner Password page, select Automatically Create The Password (Recommended), and then click Next.

  5. On the Save Your TPM Owner Password page, click Save, and then select a location to save the password. Ideally, you’ll save the TPM ownership password to removable media, such as a universal serial bus (USB) flash drive.

  6. Click Save again. The password file is saved as computer_name.tpm.

  7. Click Print if you want to print a hard copy of your password. Be sure to save the printout containing the password in a secure location.

  8. Click Initialize. The initialization process might take several minutes to complete.

  9. When initialization is complete, click Close. The status of the TPM is displayed under Status in the TPM Management console.

Turning Off and Clearing the TPM

New computers that have a TPM might arrive with the TPM turned on by default. If you decide not to use the TPM, you should turn off and clear the TPM. If you want to reconfigure or recycle a computer, you should also turn off and clear the TPM. Windows Vista supports remotely turning off and clearing a TPM as well as using scripts to turn off and clear a TPM.
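Because the book's procedures are driven from the console, it helps to see what the scripted path looks like. The following PowerShell script is an added example, not from the book or from Microsoft: it audits the TPM state of one or more computers over WMI (enabled, activated, owned) so an administrator can see which machines still need initializing, or which are still owned before a recycle. It assumes WMI/DCOM access to the targets and uses placeholder computer names.

```powershell
# Added example (not from the book): audit TPM state over WMI before deciding
# whether a computer needs initializing, turning off or clearing.
# Assumes WMI/DCOM access to the target and that Windows exposes Win32_Tpm there.
param(
    # Placeholder names; replace with the computers you administer.
    [string[]]$ComputerName = @('PLACEHOLDER-PC1')
)

foreach ($name in $ComputerName) {
    try {
        $tpm = Get-WmiObject -ComputerName $name `
            -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
    } catch {
        Write-Warning "$name : cannot query Win32_Tpm ($($_.Exception.Message))"
        continue
    }
    if ($null -eq $tpm) {
        Write-Warning "$name : Windows reports no TPM on this computer"
        continue
    }

    # Each status method returns an object whose ReturnValue is 0 on success
    # and whose boolean property carries the answer.
    $enabled   = $tpm.IsEnabled()
    $activated = $tpm.IsActivated()
    $owned     = $tpm.IsOwned()
    if (($enabled.ReturnValue -ne 0) -or ($activated.ReturnValue -ne 0) -or
        ($owned.ReturnValue -ne 0)) {
        Write-Warning "$name : a TPM status call failed; check the BIOS TPM setting"
        continue
    }

    New-Object PSObject -Property @{
        ComputerName = $name
        Enabled      = [bool]$enabled.IsEnabled
        Activated    = [bool]$activated.IsActivated
        Owned        = [bool]$owned.IsOwned
        # Enabled, activated and owned together correspond to the console
        # showing the TPM as initialized and ready for use.
        Ready        = [bool]($enabled.IsEnabled -and $activated.IsActivated -and $owned.IsOwned)
    }
}
```

A computer reported as Enabled but not Owned is one where the "Create The TPM Owner Password" step above has not yet been completed; one still reported as Owned should be cleared before it is recycled.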

To turn off the TPM, complete the following steps:

  1. Log on locally to the computer with local administrator credentials.

  2. Start the Trusted Platform Module Management console.

  3. Under Actions, click Turn TPM Off.

  4. In the Turn Off The TPM Security Hardware dialog box, select one of the following methods for entering your password and turning off the TPM:

    • If you have the removable media on which you saved your TPM owner password, insert it, and then click I Have A Backup File With The TPM Owner Password. In the Select Backup File With The TPM Owner Password dialog box, click Browse, and then use the Open dialog box to locate the .tpm file saved on your removable media. Click Open, and then click Turn TPM Off.

    • If you do not have the removable media on which you saved your password, click I Want To Type The TPM Owner Password. In the Type Your TPM Owner Password dialog box, type your password (including dashes), and then click Turn TPM Off.

    • If you do not know your TPM owner password, click I Don’t Have The TPM Owner Password, and then follow the instructions provided to turn off the TPM without entering the password. Because you are logged on locally to the computer, you will be able to turn off the TPM.

Clearing the TPM cancels the TPM ownership and finalizes the shutdown of the TPM. You should clear the TPM only when a TPM-equipped client computer is to be recycled or when the TPM owner has lost the TPM owner password and recovery information was not backed up.

To clear the TPM, complete the following steps:

  1. Log on locally to the computer with local administrator credentials.

  2. Start the Trusted Platform Module Management console.

  3. Under Actions, click Clear TPM.

    Caution 

    Clearing the TPM resets it to factory defaults and finalizes its shutdown. As a result, you will lose all created keys and data protected by those keys.

  4. In the Clear The TPM Security Hardware dialog box, select a method for entering your password and clearing the TPM:

    • If you have the removable media on which you saved your TPM owner password, insert it, and then click I Have A Backup File With The TPM Owner Password. In the Select Backup File With The TPM Owner Password dialog box, click Browse, and then use the Open dialog box to locate the .tpm file saved on your removable media. Click Open, and then click Clear TPM.

    • If you do not have the removable media on which you saved your password, click I Want To Type The TPM Owner Password. In the Type Your TPM Owner Password dialog box, enter your password (including dashes) and then click Clear TPM.

    • If you do not know your TPM owner password, click I Don’t Have The TPM Owner Password, and then follow the instructions provided to clear the TPM without entering the password. Because you are logged on locally to the computer, you will be able to clear the TPM.

  5. The status of the TPM is displayed under Status in the TPM Management console.

Changing the TPM Owner Password

If you suspect that the TPM owner password has been compromised, you can change the password by using the Trusted Platform Module Management console. To change the TPM owner password, complete the following steps:

  1. Log on locally to the computer with local administrator credentials.

  2. Start the Trusted Platform Module Management console.

  3. Under Actions, click Change Owner Password.

  4. Follow the prompts to provide the current password and change the password.




Introducing Microsoft Windows Vista
ISBN: 0735622841
Year: 2006
Pages: 101
